NETWORKING

Pages

Facebook iFrames: Good For Business, Bad For Security?

Legitimate developers will be pleased with the expanded flexibility, but malicious ones will find it easier to introduce malware, security experts warn.

When Facebook made a series of changes to its platform for applications and business pages in February, developers by and large cheered, but some security folks groaned.

One significant change that Facebook had been telegraphing for months was a shift in the technical integration of the tabs displayed on a Facebook business page. For any company trying to create more advanced modes of interaction with customers on Facebook, beyond the chatter of the Wall, Facebook tabs are an important tool. Several prominent consumer product and retail companies like Best Buy, Coca-Cola, and Levis have exploited this medium aggressively. However, until recently Facebook application developers have not been able to use the full range of tools available to them in any other Web application. It used to be you had to code page tabs in FBML -- a Facebook markup language derived from HTML -- and could use only Facebook-approved JavaScript and AJAX commands.

Those limitations went away in February, with the introduction of support for HTML IFrames (inline frames) as the display technology for page tabs. Now, Facebook says it is phasing out support for new FBML apps and page tabs (although existing ones continue to function) in favor of its newer XFBML and JavaScript developer's kit, which works in both Facebook IFames and independent Web pages.

This means you can use any Web page as the source for your page tab content. Just plug the URL into Facebook's app registration form, put in the text you want to appear on the tab label, and add it to your page. Aside from the width of the tab content, which must be under 520 pixels to display properly, there are few if any technical limits on what content can appear in that spot -- use any JavaScript library, use Flash, use Silverlight -- all sorts of things that used to be off limits.

Rik Ferguson, Director of Security Research and Communication at Trend Micro, blogged about the "open JavaScript hole" created by the change the day after Facebook announced it. "While this is no doubt great news for legitimate developers, it will undoubtedly make life for those with malicious intent much easier too," he wrote. For example, a tab can now include JavaScript that redirects your browser to a Web site containing malicious software.

I saw Ferguson's post shortly after it appeared and felt inclined to dismiss it, since at the time I was having fun experimenting with the possibilities of iFrame-based integration, including a WordPress plugin that exploits this capability.

But I heard the case against IFrames again last week in a conversation with Perimeter E-Security chief technology officer Andrew Jaquith. "Let's face it, iFrames are basically evil -- they always have been," he said.